AutoVulnPHP: LLM-Powered Two-Stage PHP Vulnerability Detection and Automated Localization
Zhiqiang Wang, Yizhong Ding, Zilong Xiao, Jinyu Lu, Yan Jia, Yanjun Li

TL;DR
AutoVulnPHP is a comprehensive framework that combines two-stage vulnerability detection with precise localization in PHP code, leveraging large datasets, static and semantic analysis, and large language models to improve accuracy and reduce false positives.
Contribution
It introduces AutoVulnPHP, the first large-scale PHP vulnerability dataset and a novel two-stage detection and localization framework utilizing LLMs and structural analysis.
Findings
Achieves 99.7% detection accuracy and 99.5% F1 score.
Localizes vulnerabilities with an 81.0% success rate.
Discovered 429 new vulnerabilities in real-world PHP repositories.
Abstract
PHP's dominance in web development is undermined by security challenges: static analysis lacks semantic depth, causing high false positives; dynamic analysis is computationally expensive; and automated vulnerability localization suffers from coarse granularity and imprecise context. Additionally, the absence of large-scale PHP vulnerability datasets and fragmented toolchains hinder real-world deployment. We present AutoVulnPHP, an end-to-end framework coupling two-stage vulnerability detection with fine-grained automated localization. SIFT-VulMiner (Structural Inference for Flaw Triage Vulnerability Miner) generates vulnerability hypotheses using AST structures enhanced with data flow. SAFE-VulMiner (Semantic Analysis for Flaw Evaluation Vulnerability Miner) verifies candidates through pretrained code encoder embeddings, eliminating false positives. ISAL (Incremental Sequence Analysis…
Taxonomy
Topics: Web Application Security Vulnerabilities · Information and Cyber Security · Software Engineering Research
